Логотип exploitDog
product: "node.js"
Консоль
Логотип exploitDog

exploitDog

product: "node.js"
Node.js

Node.jsпрограммная платформа, основанная на движке V8 (компилирующем JavaScript в машинный код)

Релизный цикл, информация об уязвимостях

Продукт: Node.js
Вендор: nodejs

График релизов

20212223242023202420252026202720282029

Недавние уязвимости Node.js

Количество 1 009

ubuntu логотип

CVE-2021-32050

почти 2 года назад

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS3: 4.2
EPSS: Низкий
github логотип

GHSA-g467-j8jp-rq97

почти 2 года назад

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
EPSS: Низкий
nvd логотип

CVE-2023-32559

почти 2 года назад

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 7.5
EPSS: Низкий
debian логотип

CVE-2023-32559

почти 2 года назад

A privilege escalation vulnerability exists in the experimental policy ...

CVSS3: 7.5
EPSS: Низкий
ubuntu логотип

CVE-2023-32559

почти 2 года назад

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 7.5
EPSS: Низкий
github логотип

GHSA-9m48-r3w4-x35v

почти 2 года назад

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
EPSS: Низкий
nvd логотип

CVE-2023-32002

почти 2 года назад

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
EPSS: Низкий
debian логотип

CVE-2023-32002

почти 2 года назад

The use of `Module._load()` can bypass the policy mechanism and requir ...

CVSS3: 9.8
EPSS: Низкий
ubuntu логотип

CVE-2023-32002

почти 2 года назад

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
EPSS: Низкий
github логотип

GHSA-356r-x8g9-vh8c

почти 2 года назад

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 8.8
EPSS: Низкий

Уязвимостей на страницу

Уязвимость
CVSS
EPSS
Опубликовано
1
ubuntu логотип
CVE-2021-32050

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS3: 4.2
0%
Низкий
почти 2 года назад
github логотип
GHSA-g467-j8jp-rq97

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
0%
Низкий
почти 2 года назад
nvd логотип
CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 7.5
0%
Низкий
почти 2 года назад
debian логотип
CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy ...

CVSS3: 7.5
0%
Низкий
почти 2 года назад
ubuntu логотип
CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 7.5
0%
Низкий
почти 2 года назад
github логотип
GHSA-9m48-r3w4-x35v

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
0%
Низкий
почти 2 года назад
nvd логотип
CVE-2023-32002

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
0%
Низкий
почти 2 года назад
debian логотип
CVE-2023-32002

The use of `Module._load()` can bypass the policy mechanism and requir ...

CVSS3: 9.8
0%
Низкий
почти 2 года назад
ubuntu логотип
CVE-2023-32002

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 9.8
0%
Низкий
почти 2 года назад
github логотип
GHSA-356r-x8g9-vh8c

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS3: 8.8
0%
Низкий
почти 2 года назад

Уязвимостей на страницу


Поделиться